Multiple vulnerabilities affecting Firefox have been disclosed. Through the use of various JavaScript actions, it is possible to inject arbitrary content on sites that rely on IFRAMEs to display content to the user. It is also possible to read keystrokes using the same vulnerability - risking potential disclosure of passwords or other sensitive information. Another vulnerability can be used to download arbitrary content to the user's download folder - bypassing the delay timers used by some configuration messages. Under specific conditions, this could be used to execute arbitrary content on a victim's system.

Description:

Multiple vulnerabilities affecting the popular Internet browser, Firefox, have been discovered. These vulnerabilities could allow a remote attacker to read keystrokes, inject arbitrary web content and even download and potentially run software of the attacker's choice. Exploit code is readily available for all vulnerabilities.

Mitigation:

Apply caution when visiting untrusted sites and consider disabling support for JavaScript until Mozilla are able to release a patch for the issue. Alternatively, consider the use of an alternate Internet browser, such as Opera. Users should also consider operating Firefox from a less-privileged user account.

Updates:

Not Yet Available

Source:

http://lcamtuf.coredump.cx

Exploits:

http://lcamtuf.coredump.cx

Not Yet Identified